Merged
7 changes: 6 additions & 1 deletion packages/security_ai_prompts/changelog.yml
Original file line number Diff line number Diff line change
@@ -1,9 +1,14 @@
# newer versions go on top
- version: "1.0.8"
changes:
- description: "Update ease prompts"
type: enhancement
link: https://github.com/elastic/integrations/pull/15674
- version: "1.0.7"
changes:
- description: "Update AI Assistant for Asset Inventory prompt"
type: enhancement
link: tbd
link: https://github.com/elastic/integrations/pull/15656
- version: "1.0.6"
changes:
- description: "Update Security AI prompts with latest changes from Kibana"
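Review bot: the 1.0.8 description "Update ease prompts" does not cover what this commit does: besides the two new ease prompts (costSavingsInsightPart2 and alertSummary), every existing security-ai-prompt file below has its `id` replaced by a new one (for example `security_ai_prompts-08d9a496-b876-43f0-9dcf-d8834d8c44a1` becomes `security_ai_prompts-04f42079-7f27-4892-8c63-4c500e5821c4`), so anything keying on those ids will see new saved objects rather than updates. Either say so in the description or give the id change its own changelog line. Replacing `link: tbd` on the 1.0.7 entry with the PR URL is the right fix; it is worth checking that no other entry still carries a `tbd` link.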
@@ -6,6 +6,6 @@
"default": "Research"
}
},
"id": "security_ai_prompts-08d9a496-b876-43f0-9dcf-d8834d8c44a1",
"id": "security_ai_prompts-04f42079-7f27-4892-8c63-4c500e5821c4",
"type": "security-ai-prompt"
}
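Review bot: nothing changes in this hunk except the `id` (`security_ai_prompts-08d9a496-b876-43f0-9dcf-d8834d8c44a1` to `security_ai_prompts-04f42079-7f27-4892-8c63-4c500e5821c4`), and the same one-line id swap is repeated in every existing prompt file in this commit, which reads as a regenerated id set rather than a content change. The PR should state how the new ids were produced (a build script, a hash of the prompt content, or hand assignment) and confirm that nothing references the old ids, since an installation that already holds the old saved objects could otherwise be left with both the old and the new copies.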
@@ -6,6 +6,6 @@
"default": "Most important alerts from the last 24 hrs"
}
},
"id": "security_ai_prompts-d35a2fab-9f56-43e0-aa59-38b5ec8228fd",
"id": "security_ai_prompts-0766d63f-7915-42ba-9526-e683f89c19ca",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "Latest Elastic Security Labs research"
}
},
"id": "security_ai_prompts-e994271e-2a6e-48d1-9f14-6eab0f06de69",
"id": "security_ai_prompts-07839125-36c6-4480-bfaa-d9a22f13c6de",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "Retrieve and summarize the latest Elastic Security Labs articles one by one sorted by latest at the top, and consider using all tools available to you to fulfill this request. Ensure the response includes:\nArticle Summaries\nTitle and Link: Provide the title of each article with a hyperlink to the original content.\nPublication Date: Include the date the article was published.\nKey Insights: Summarize the main points or findings of each article in concise bullet points.\nRelevant Threats or Techniques: Highlight any specific malware, attack techniques, or adversary behaviors discussed, with references to MITRE ATT&CK techniques (include hyperlinks to the official MITRE pages).\nPractical Applications\nDetection and Response Guidance: Provide actionable steps or recommendations based on the article's content, tailored for Elastic Security workflows.\nElastic Security Features: Highlight any Elastic Security features, detection rules, or tools mentioned in the articles, with links to relevant documentation.\nExample Queries: If applicable, include example ES|QL or OSQuery Manager queries inspired by the article's findings, formatted as code blocks.\nDocumentation and Resources\nElastic Security Labs: Include a link to the Elastic Security Labs homepage.\nAdditional References: Provide links to any related Elastic documentation or external resources mentioned in the articles.\nFormatting Requirements\nUse markdown headers, tables, and code blocks for clarity.\nOrganize the response into visually distinct sections.\nUse concise, actionable language. Make sure you use tools available to you to fulfill this request."
}
},
"id": "security_ai_prompts-f0482836-9efd-46b3-8c67-14490f75cc27",
"id": "security_ai_prompts-128d6f69-e856-436e-9645-aac5969c7d6c",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "Suggest"
}
},
"id": "security_ai_prompts-49d0c27c-f8d2-4903-8019-c8d5471935b9",
"id": "security_ai_prompts-158c8455-422b-4a8f-b762-3d6994c24e6b",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "You MUST use the \"NaturalLanguageESQLTool\" function when the user wants to:\n - breakdown or filter ES|QL queries that are displayed on the current page\n - convert queries from another language to ES|QL\n - asks general questions about ES|QL\n ALWAYS use this tool to generate ES|QL queries or explain anything about the ES|QL query language rather than coming up with your own answer."
}
},
"id": "security_ai_prompts-ba771a05-95f9-4487-9525-98a69ac46345",
"id": "security_ai_prompts-15e797ad-53f6-45c4-b729-e484fbe49279",
"type": "security-ai-prompt"
}
@@ -0,0 +1,11 @@
{
"attributes": {
"promptId": "costSavingsInsightPart2",
"promptGroupId": "ease",
"prompt": {
"default": "Generate a concise bulleted summary in mdx markdown. Follow the style and tone of the example below, highlighting key trends, averages, peaks, and projections:\n\n```\n- Between July 18 and August 18, daily cost savings **averaged around $135K**\n- The lowest point, **just above $70K**, occurred in early August.\n- **Peaks near $160K** appeared in late July and mid-August.\n- After a mid-period decline, savings steadily recovered and grew toward the end of the month.\n- At this pace, projected annual savings **exceed $48M**, confirming strong and predictable ROI.\n```\n\nRespond only with the markdown. Do not include any explanation or extra text."
}
},
"id": "security_ai_prompts-1873239b-1424-40e8-97d0-6154a2b63d59",
"type": "security-ai-prompt"
}
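Review bot: the example block in this prompt carries concrete figures ($135K, $70K, $160K, $48M) and a July 18 to August 18 window; without an explicit statement that these are illustrative, a model given thin input may copy them into the summary, which for a cost-savings insight shown to customers is a real risk. Suggest adding a sentence such as "The numbers and dates in the example are placeholders; use only values from the data provided." Two smaller points: the example is wrapped in triple backticks while the closing instruction says "Respond only with the markdown", so state whether fences are expected in the output; and the prompt body is byte-for-byte identical to the existing prompt modified near the end of this commit (the file whose id becomes `security_ai_prompts-686ff7c4-5ae4-4ba6-81ea-1959fdf644ea`), so if `costSavingsInsightPart2` is meant to differ from its part 1 the text should differ, and if not, one of the two is redundant.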
@@ -6,6 +6,6 @@
"default": "Call this for knowledge from Elastic Security Labs content, which contains information on malware, attack techniques, and more."
}
},
"id": "security_ai_prompts-36c1550e-b606-4527-8aa3-9baaf8d9c943",
"id": "security_ai_prompts-1d879724-76fa-4178-af4c-14dbdca777b0",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "Return **only a single-line stringified JSON object** without any code fences, explanations, or variable assignments. Do **not** wrap the output in triple backticks or any Markdown code block. \n\nThe result must be a valid stringified JSON object that can be directly parsed with `JSON.parse()` in JavaScript.\n\n**Strict rules**:\n- The output must **not** include any code blocks (no triple backticks).\n- The output must be **a string**, ready to be passed directly into `JSON.parse()`.\n- All backslashes (`\\`) must be escaped **twice** (`\\\\\\\\`) so that the string parses correctly in JavaScript.\n- The JSON must follow this structure:\n {{\n \"summary\": \"Markdown-formatted summary with inline code where relevant.\",\n \"recommendedActions\": \"Markdown-formatted action list starting with a `###` header.\"\n }}\n- The summary text should just be text. It does not need any titles or leading items in bold.\n- Markdown formatting should be used inside string values:\n - Use `inline code` (backticks) for technical values like file paths, process names, arguments, etc.\n - Use `**bold**` for emphasis.\n - Use `-` for bullet points.\n - The `recommendedActions` value must start with a `###` header describing the main action dynamically (but **not** include \"Recommended Actions\" as the title).\n- **Do not** include any extra explanation or text. Only return the stringified JSON object.\n\nThe response should look like this:\n{{\"summary\":\"Markdown-formatted summary text.\",\"recommendedActions\":\"Markdown-formatted action list starting with a ### header.\"}}"
}
},
"id": "security_ai_prompts-df589318-f88e-45d6-b733-13bc91a91b2a",
"id": "security_ai_prompts-1e40ae29-0e7e-44b4-a279-62e8ab019f57",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "An array of MITRE ATT&CK tactic for the insight, using one of the following values: Reconnaissance,Resource Development,Initial Access,Execution,Persistence,Privilege Escalation,Defense Evasion,Credential Access,Discovery,Lateral Movement,Collection,Command and Control,Exfiltration,Impact"
}
},
"id": "security_ai_prompts-494f0005-593f-4cfe-aa25-e50dcc8a2577",
"id": "security_ai_prompts-22a200fa-f296-47f1-9ff6-fc358fc2f2da",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "\nReview the JSON output from your initial analysis. Your task is to refine the attack chains by:\n\n1. Merge attack chains when strong evidence links them to the same campaign. Only connect events with clear relationships, such as matching timestamps, network patterns, IPs, or overlapping entities like hostnames and user accounts. Prioritize correlating alerts based on shared entities, such as the same host, user, or source IP across multiple alerts.\n2. Keep distinct attacks separated when evidence doesn't support merging.\n3. Strengthening justifications: For each attack chain:\n - Explain the specific evidence connecting events (particularly across hosts)\n - Reference relevant MITRE ATT&CK techniques that support your grouping\n - Ensure your narrative follows the chronological progression of the attack\nOutput requirements:\n- Return your refined analysis using the exact same JSON format as your initial output, applying the same field syntax requirements.\n- Conform exactly to the JSON schema defined earlier\n- Do not include explanatory text outside the JSON\n"
}
},
"id": "security_ai_prompts-960ebd42-a6f5-4cac-9b01-34402966ff43",
"id": "security_ai_prompts-241c9152-838b-42a9-9c47-297813a8e77a",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "The policy response action name + message + os"
}
},
"id": "security_ai_prompts-6a5ea9d7-047a-400b-bef3-585ab7f529a1",
"id": "security_ai_prompts-24b6282a-4f2c-4784-a824-ba1913599d27",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "The endpoint ID"
}
},
"id": "security_ai_prompts-f14ab966-bcef-4bd6-8cb9-deac16ecb46e",
"id": "security_ai_prompts-2a420484-a337-458f-ae75-865ecedf7f11",
"type": "security-ai-prompt"
}
@@ -0,0 +1,11 @@
{
"attributes": {
"promptId": "alertSummary",
"promptGroupId": "ease",
"prompt": {
"default": "Evaluate the cyber security alert from the context above. Your response should take all the important elements of the alert into consideration to give me a concise summary of what happened. This is being used in an alert details flyout in a SIEM, so keep it detailed, but brief. Limit your response to 500 characters. Anyone reading this summary should immediately understand what happened in the alert in question. Only reply with the summary, and nothing else.\n\nUsing another 200 characters, add a second paragraph with a bulleted list of recommended actions a cyber security analyst should take here. Don't invent random, potentially harmful recommended actions."
}
},
"id": "security_ai_prompts-2faf4fa3-97d3-4f2d-a388-f836a2a34ced",
"type": "security-ai-prompt"
}
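Review bot: the length and scope instructions in this prompt contradict each other: "Limit your response to 500 characters" and "Only reply with the summary, and nothing else" are followed by a request for a second 200-character paragraph of recommended actions, so a model can reasonably stop after the summary or treat 500 as the total budget. Suggest restating it as one instruction: a summary paragraph of at most 500 characters, then a bulleted recommended-actions list of at most 200 characters, and nothing else. Since the alert content comes from "the context above", it would also help to say that the alert fields are data to summarize, not instructions to follow; "Don't invent random, potentially harmful recommended actions" covers hallucinated advice but not that case.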
@@ -6,6 +6,6 @@
"default": "A markdown summary of insight, using the same {{ field.name fieldValue1 fieldValue2 fieldValueN }} syntax"
}
},
"id": "security_ai_prompts-179ba772-7c8f-4b20-9d64-72d3211260b5",
"id": "security_ai_prompts-329ea51f-a2ef-4fd1-8a88-fd4e988c83ba",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "Alerts"
}
},
"id": "security_ai_prompts-e4dee5ca-6085-4931-b990-44fe50c60bdf",
"id": "security_ai_prompts-33780766-81d1-46b6-90c8-fa47df237113",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "The actions.message value of the policy response"
}
},
"id": "security_ai_prompts-dab4a7bc-9fd3-4542-a02d-e841ed040f93",
"id": "security_ai_prompts-438d6d4a-3b1a-4ab3-aca6-cc5592a348a1",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "You are a helpful assistant for Elastic Security. Assume the following user message is the start of a conversation between you and a user; give this conversation a title based on the content below. DO NOT UNDER ANY CIRCUMSTANCES wrap this title in single or double quotes. This title is shown in a list of conversations to the user, so title it for the user, not for you. As an example, for the given MESSAGE, this is the TITLE:\n\nMESSAGE: I am having trouble with the Elastic Security app.\nTITLE: Troubleshooting Elastic Security app issues\n"
}
},
"id": "security_ai_prompts-96f07251-7823-44ed-96e4-f139c3cc0df9",
"id": "security_ai_prompts-46a5c4e8-ef36-450c-ae8c-cec551d47f69",
"type": "security-ai-prompt"
}
@@ -7,6 +7,6 @@
"default": "You are a title generator for a helpful assistant for Elastic Security. Assume the following human message is the start of a conversation between you and a human. Generate a relevant conversation title for the human's message in plain text. Make sure the title is formatted for the user, without using quotes or markdown. The title should clearly reflect the content of the message and be appropriate for a list of conversations. Respond only with the title. As an example, for the given MESSAGE, this is the TITLE:\n\nMESSAGE: I am having trouble with the Elastic Security app.\nTITLE: Troubleshooting Elastic Security app issues\n"
}
},
"id": "security_ai_prompts-2d53e5a4-2181-4c8a-9627-e87e5a53e7d6",
"id": "security_ai_prompts-46ea6e3f-b66d-4568-9f8f-f636c3f7120b",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "You are a security analyst and expert in resolving security incidents. Your role is to assist by answering questions about Elastic Security. Do not answer questions unrelated to Elastic Security. If available, use the Knowledge History provided to try and answer the question. If not provided, you can try and query for additional knowledge via the KnowledgeBaseRetrievalTool. {citations_prompt} \n{formattedTime}"
}
},
"id": "security_ai_prompts-933fc425-2b16-430e-ad11-3e5f10891c7f",
"id": "security_ai_prompts-546b95da-5d4c-4bb8-9e89-1550045a1054",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "Explain the ECS incompatibility results above, and describe some options to fix incompatibilities. In your explanation, include information about remapping fields, reindexing data, and modifying data ingestion pipelines. Also, describe how ES|QL can be used to identify and correct incompatible data, including examples of using RENAME, EVAL, DISSECT, GROK, and CASE functions. Please consider using applicable tools for this request. Make sure you’ve used the right tools for this request."
}
},
"id": "security_ai_prompts-19154dca-d03f-4087-a22c-cce1d2ae1c70",
"id": "security_ai_prompts-559d0d95-dd5c-4f49-99be-d90cf0a46c48",
"type": "security-ai-prompt"
}
@@ -7,6 +7,6 @@
"default": "You are a strictly rule-following assistant for Elastic Security.\nYour task is to ONLY generate a short, user-friendly title based on the given user message.\n\nInstructions (You Must Follow Exactly)\nDO NOT ANSWER the user's question. You are forbidden from doing so.\nYour response MUST contain only the generated title. Nothing else.\nAbsolutely NO explanations, disclaimers, or additional text.\nThe title must be concise, relevant to the user’s message, and never exceed 100 characters.\nDO NOT wrap the title in quotes or any other formatting.\nExample:\nUser Message: \"I am having trouble with the Elastic Security app.\"\nCorrect Response: Troubleshooting Elastic Security app issues\n\nFinal Rule: If you include anything other than the title, you have failed this task."
}
},
"id": "security_ai_prompts-f3c06d2b-2715-4c49-9d4a-960d3f904478",
"id": "security_ai_prompts-56f371c4-c535-44b1-a24d-832a962f63bc",
"type": "security-ai-prompt"
}
@@ -7,6 +7,6 @@
"default": "Now, always using the tools at your disposal, step by step, come up with a response to this request:\n\n"
}
},
"id": "security_ai_prompts-1a646fa8-8ea7-4026-998e-0488f9a52d16",
"id": "security_ai_prompts-5a174f68-5d26-436f-bf5d-cea828f3e6be",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "sparkles"
}
},
"id": "security_ai_prompts-a12b671c-5b2c-4d2d-9554-4db91e211246",
"id": "security_ai_prompts-6180ae19-2f82-4445-a45f-7d9e58189bce",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "The policy response ID"
}
},
"id": "security_ai_prompts-4f7c4db4-33e2-48dc-9d41-a229fdaa4ac9",
"id": "security_ai_prompts-67077387-43fc-4494-9796-eb352adb4b9a",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "Generate a concise bulleted summary in mdx markdown. Follow the style and tone of the example below, highlighting key trends, averages, peaks, and projections:\n\n```\n- Between July 18 and August 18, daily cost savings **averaged around $135K**\n- The lowest point, **just above $70K**, occurred in early August.\n- **Peaks near $160K** appeared in late July and mid-August.\n- After a mid-period decline, savings steadily recovered and grew toward the end of the month.\n- At this pace, projected annual savings **exceed $48M**, confirming strong and predictable ROI.\n```\n\nRespond only with the markdown. Do not include any explanation or extra text."
}
},
"id": "security_ai_prompts-8260efc8-102d-4b95-a0bd-9434bb5d6ad7",
"id": "security_ai_prompts-686ff7c4-5ae4-4ba6-81ea-1959fdf644ea",
"type": "security-ai-prompt"
}
@@ -6,6 +6,6 @@
"default": "The suggested remediation action to take for the policy response failure"
}
},
"id": "security_ai_prompts-64739b09-0389-4497-8acb-6a92d6b2e5f5",
"id": "security_ai_prompts-6a9fe9d7-5cd3-4d24-b458-f948da93c19f",
"type": "security-ai-prompt"
}
@@ -7,6 +7,6 @@
"default": "You are a security analyst and expert in resolving security incidents. Your role is to assist by answering questions about Elastic Security. Do not answer questions unrelated to Elastic Security. If available, use the Knowledge History provided to try and answer the question. If not provided, you can try and query for additional knowledge via the KnowledgeBaseRetrievalTool. {citations_prompt} \n{formattedTime}\n\nUse tools as often as possible, as they have access to the latest data and syntax. Never return <thinking> tags in the response, but make sure to include <result> tags content in the response. Do not reflect on the quality of the returned search results in your response.\n\nIMPORTANT: After using tools, you must provide a complete response that includes:\n1. The tool results (include the exact response from GenerateESQLTool verbatim)\n2. Any additional context, recommendations, or insights requested by the user\n\nNever end your response with just tool results. Always provide your complete analysis after using tools."
}
},
"id": "security_ai_prompts-654b1e1e-ce59-422e-98b0-de7eda200473",
"id": "security_ai_prompts-6b7dae17-2514-476f-b35e-7a534bafb25e",
"type": "security-ai-prompt"
}